A forum for reverse engineering, OS internals and malware analysis 

 #673  by Sledge337
 Mon Apr 12, 2010 11:14 pm
Hi,

I'm wondering, if my PC is infected by some rootkit.

I've become really suspicious after my computer was infected for some weeks by some spyware that came bundled with Ventrilo-Mix. I wasn't really suspicious before that and did everything with an admin account. I thought a firewall, all updates, taking a bit of care about what apps I download and run, and the occasional malware scan were enough for my needs. :oops:
So now, whenever something seems odd, an alarm bell rings in my head. This time it was the heavy auto-updating activity of my firewall ZoneAlarm several times a day that seemed strange, and I also noticed lots of disk activity when I actually wasn't doing much.

Some anti-malware tools just failed to start. Anyway, I cleaned up a bit, removed ZoneAlarm for now, removed a suspicious driver that later turned out to belong to Daemon Tools, removed some drivers of security tools that I didn't use anymore, ran ComboFix, IceSword, GMER ... Some things are still odd: RootRepeal freezes at start with 'initializing' and RkUnhooker fails all the time with '02. error loading datafile', except for the current beta release, which seems to work. I also got some blue screens recently that I didn't experience before and suddenly had problems with remote desktop logins (which might have other reasons though).

Well, none of the tools say explicitly that I'm infected by a rootkit, yet I'm still suspicious about the modified IDT pointing to some 'unknown code page', which my notebook running the same Windows version doesn't show, and now I want to track it down.
Code:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 00:10:53
Windows 5.1.2600 Service Pack 3
Running: pzj27qqp.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\kxldapow.sys


---- System - GMER 1.0.15 ----

INT 0x63        ?                                                                        FB59EAE4
INT 0x73        ?                                                                        FBA34044
INT 0x83        ?                                                                        FB5A4044
INT 0x92        ?                                                                        FB5CD9C4
INT 0x93        ?                                                                        FB75291C
INT 0x94        ?                                                                        FB7EA044
INT 0xA4        ?                                                                        FB7C115C
INT 0xB1        ?                                                                        FBA3A044
INT 0xB4        ?                                                                        FB5A0AD4

---- Kernel code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                 section is writeable [0xF4A61380, 0x550AF5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text           C:\Program Files\Mozilla Firefox\firefox.exe[1680] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Fastfat \Fat                                                 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
I'm suspicious about all that. Well, I see the hook in Mozilla also on my notebook, maybe normal ... About the fltmgr, no idea, but 3 tools show me those IDT hooks that point to some code page that is not within any module. Besides that there are some code modifications in ntkrnlpa.exe, which I'm not sure about.

I assume somewhere in the boot process some driver manipulates the IDT; I've just no idea how to trace it to find out which one it is. Are there tools that can do that? Any ideas?
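The following is an added example, not code from this thread, from GMER or from RkUnhooker. It shows what the "?" in GMER's INT lines and RkUnhooker's [unknown_code_page] tag actually test: the handler address in the gate is looked up against the image ranges of the loaded kernel modules and nothing matches. It decodes raw 32-bit gate descriptors, does that lookup, and then adds the check a scanner needs on XP before calling such a gate hostile: interrupts connected through IoConnectInterrupt point the gate at the DispatchCode stub embedded in the driver's KINTERRUPT object, which is allocated from nonpaged pool and so is in no module either. The module list, the KINTERRUPT object, the IDT bytes and the 0x3C DispatchCode offset are all assumptions constructed for the demo (the addresses are not the poster's); on a live machine the table comes from sidt on each processor and the module list from SystemModuleInformation.

```c
/* Added example, not code from the thread, GMER or RkUnhooker: decode 32-bit IDT gates
 * and resolve each handler against module ranges and then KINTERRUPT objects, since
 * IoConnectInterrupt points a gate at the DispatchCode stub inside the KINTERRUPT,
 * which sits in nonpaged pool, not in any module image.  All data is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define IDT_ENTRIES 256
/* DispatchCode offset in nt!_KINTERRUPT; 0x3C is assumed for XP SP3 x86 ("dt nt!_KINTERRUPT" to check). */
#define KINTERRUPT_DISPATCHCODE_OFFSET 0x3C

/* type: 0x5 task gate, 0xE 32-bit interrupt gate, 0xF 32-bit trap gate; dpl 3 = reachable from user mode */
typedef struct { uint32_t handler; uint16_t selector; uint8_t type, dpl, present; } idt_gate;
typedef struct { const char *name; uint32_t base, size; } kmodule;
typedef struct { uint32_t object, service_routine; } kinterrupt;
typedef enum { OWNER_MODULE, OWNER_CONNECTED_ISR, OWNER_UNKNOWN } owner_kind;

/* Decode one 8-byte gate descriptor (layout per the Intel SDM, vol. 3). */
idt_gate decode_gate(const uint8_t raw[8])
{
    idt_gate g;
    g.handler  = (uint32_t)raw[0] | (uint32_t)raw[1] << 8 | (uint32_t)raw[6] << 16 | (uint32_t)raw[7] << 24;
    g.selector = (uint16_t)(raw[2] | raw[3] << 8);
    g.type = raw[5] & 0x0F;  g.dpl = (raw[5] >> 5) & 0x03;  g.present = raw[5] >> 7;
    return g;
}

/* Inverse of decode_gate, used only to build the constructed table. */
void encode_gate(uint32_t handler, uint16_t sel, uint8_t type, uint8_t dpl, uint8_t out[8])
{
    out[0] = handler & 0xFF;  out[1] = (handler >> 8) & 0xFF;  out[6] = (handler >> 16) & 0xFF;  out[7] = handler >> 24;
    out[2] = sel & 0xFF;      out[3] = sel >> 8;  out[4] = 0;   /* byte 4 is reserved and must be zero */
    out[5] = (uint8_t)(0x80 | dpl << 5 | (type & 0x0F));        /* P=1, DPL, S=0, gate type */
}

/* Module whose image range contains addr, or NULL (live systems: SystemModuleInformation). */
const char *resolve_module(uint32_t addr, const kmodule *mods, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return mods[i].name;
    return NULL;
}

/* Classify a gate target; *name (if non-NULL) receives the owning module or NULL. */
owner_kind classify_handler(uint32_t handler, const kmodule *mods, size_t nmods,
                            const kinterrupt *ints, size_t nints, const char **name)
{
    const char *m = resolve_module(handler, mods, nmods);
    for (size_t i = 0; m == NULL && i < nints; i++)
        if (handler == ints[i].object + KINTERRUPT_DISPATCHCODE_OFFSET) {
            m = resolve_module(ints[i].service_routine, mods, nmods);  /* the driver's real ISR */
            if (name) *name = m;
            return m ? OWNER_CONNECTED_ISR : OWNER_UNKNOWN;
        }
    if (name) *name = m;
    return m ? OWNER_MODULE : OWNER_UNKNOWN;
}

/* Walk a raw IDT image and return how many present gates resolve to neither a module
 * nor a KINTERRUPT: the "?" / [unknown_code_page] cases that deserve a closer look. */
int scan_idt(const uint8_t *idt, const kmodule *mods, size_t nmods, const kinterrupt *ints, size_t nints)
{
    int unknown = 0;
    for (unsigned v = 0; v < IDT_ENTRIES; v++) {
        idt_gate g = decode_gate(idt + 8 * v);
        if (!g.present || g.type == 0x5)   /* task gates (NMI, double fault) hold a TSS selector */
            continue;
        const char *name;
        owner_kind k = classify_handler(g.handler, mods, nmods, ints, nints, &name);
        if (k == OWNER_CONNECTED_ISR) {
            printf("INT 0x%02X  %08X  KINTERRUPT -> %s\n", v, (unsigned)g.handler, name);
        } else if (k == OWNER_UNKNOWN) {
            printf("INT 0x%02X  ?  %08X  [unknown_code_page]\n", v, (unsigned)g.handler);
            unknown++;
        }
    }
    return unknown;
}

/* Constructed data: bases plausible for XP SP3 x86, not taken from the poster's machine. */
static const kmodule    demo_mods[] = { { "ntkrnlpa.exe", 0x804D7000, 0x001F8000 },
                                        { "hal.dll",      0x806E2000, 0x00020000 },
                                        { "atapi.sys",    0xF8580000, 0x00018000 } };
static const kinterrupt demo_ints[] = { { 0x8A3F5D98, 0xF858A0F0 } };  /* ServiceRoutine in atapi.sys */
static const uint8_t    sample_gate[8] = { 0x00, 0x0C, 0x08, 0x00, 0x00, 0xEE, 0xA1, 0xF9 };
#define NMODS (sizeof demo_mods / sizeof demo_mods[0])
#define NINTS (sizeof demo_ints / sizeof demo_ints[0])
void build_demo_idt(uint8_t *idt)
{
    for (unsigned v = 0; v < IDT_ENTRIES; v++)   /* default: stubs inside ntkrnlpa.exe */
        encode_gate(0x804DF000u + 0x10u * v, 0x0008, 0xE, 0, idt + 8 * v);
    encode_gate(0, 0x0058, 0x5, 0, idt + 8 * 0x02);            /* NMI task gate, TSS selector */
    encode_gate(0x8A3F5DD4u, 0x0008, 0xE, 0, idt + 8 * 0x63);  /* DispatchCode of demo_ints[0] */
    encode_gate(0xF9A10C00u, 0x0008, 0xE, 0, idt + 8 * 0x73);  /* in no module and no KINTERRUPT */
}

int demo_unknown_count(void)
{
    uint8_t idt[8 * IDT_ENTRIES];
    build_demo_idt(idt);
    return scan_idt(idt, demo_mods, NMODS, demo_ints, NINTS);
}

int main(void)
{
    printf("%d gate(s) outside every module and KINTERRUPT\n", demo_unknown_count());
    return 0;
}
```

Run as is, it reports one gate (0x73 in the constructed table) as unresolvable, while gate 0x63 resolves through its KINTERRUPT to atapi.sys. The practical point for the GMER log above: vectors such as 0x63, 0x73, 0x83 and 0x92 to 0xB4 lie in the range the HAL allocates to device interrupts, and on XP their gates normally point into a KINTERRUPT rather than into ntkrnlpa.exe or a driver image, which is also why a notebook with different hardware shows a different set. WinDbg's !idt resolves such an entry to the KINTERRUPT and the owning driver's service routine; a handler that resolves to neither is the one worth unassembling and checking with !pool. The same module-range lookup is what RkUnhooker's "Hooked by:" column in the SSDT listing performs. Note that the IDT is per-processor, so a scanner that only reads it on CPU 0 can miss a hook installed on another core.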
 #690  by Sledge337
 Wed Apr 14, 2010 1:10 am
Thanks for answering.
I've installed Outpost firewall today, which explains the new Sandbox, afwcore, wl_hook entries.

But the IDT entries like
Code:
IDT-->Int 63h-->Unexpected Interrupt, Type: IDT modification [unknown_code_page]
were there before.
Code:
>SSDT State
NtAssignProcessToJobObject
Actual Address 0xF0DEAA60
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtClose
Actual Address 0xF0DCFBF0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtConnectPort
Actual Address 0xF0DEC920
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtCreateFile
Actual Address 0xF0DCBF60
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtCreateKey
Actual Address 0xF0DD7090
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtCreateProcess
Actual Address 0xF0DE32B0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtCreateProcessEx
Actual Address 0xF0DE3BB0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtCreateSection
Actual Address 0xF0DCAD10
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtCreateSymbolicLinkObject
Actual Address 0xF0DD6E40
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtCreateThread
Actual Address 0xF0DE1D70
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtDebugActiveProcess
Actual Address 0xF0DEFF30
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtDeleteFile
Actual Address 0xF0DD5B20
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtDeleteKey
Actual Address 0xF0DD8900
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtDeleteValueKey
Actual Address 0xF0DDF3A0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtLoadDriver
Actual Address 0xF0DE0BB0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtMakeTemporaryObject
Actual Address 0xF0DD66B0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtOpenFile
Actual Address 0xF0DCEC10
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtOpenKey
Actual Address 0xF0DD7FC0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtOpenProcess
Actual Address 0xF0DE5CA0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtOpenSection
Actual Address 0xF0DCB580
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtOpenThread
Actual Address 0xF0DE5060
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtProtectVirtualMemory
Actual Address 0xF0DEBDA0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtQueryDirectoryFile
Actual Address 0xF0DD08A0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtQueryKey
Actual Address 0xF0DDA750
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtQueryValueKey
Actual Address 0xF0DDAFA0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtQueueApcThread
Actual Address 0xF0DE9ED0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtRenameKey
Actual Address 0xF0DDE590
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtReplaceKey
Actual Address 0xF0DDC500
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtRequestPort
Actual Address 0xF0DEEA50
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtRequestWaitReplyPort
Actual Address 0xF0DEED70
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtRestoreKey
Actual Address 0xF0DDDD20
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtSaveKey
Actual Address 0xF0DDCC80
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtSaveKeyEx
Actual Address 0xF0DDD4D0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtSecureConnectPort
Actual Address 0xF0DED480
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtSetContextThread
Actual Address 0xF0DE9440
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtSetInformationDebugObject
Actual Address 0xF0DF0520
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtSetInformationFile
Actual Address 0xF0DD1BF0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtSetSystemInformation
Actual Address 0xF0DE01C0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtSetValueKey
Actual Address 0xF0DDB820
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtSuspendProcess
Actual Address 0xF0DE8190
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtSuspendThread
Actual Address 0xF0DE8AC0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtSystemDebugControl
Actual Address 0xF0DEF770
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtTerminateProcess
Actual Address 0xF0DE6790
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtTerminateThread
Actual Address 0xF0DE7620
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtUnloadDriver
Actual Address 0xF0DE1530
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtWriteVirtualMemory
Actual Address 0xF0DEB2B0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

>Shadow
NtUserAttachThreadInput
Actual Address 0xF0DF41A0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtUserGetAsyncKeyState
Actual Address 0xF0DF3DB0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtUserGetKeyState
Actual Address 0xF0DF36B0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtUserMessageCall
Actual Address 0xF0DF1ED0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtUserPostMessage
Actual Address 0xF0DF13D0
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtUserPostThreadMessage
Actual Address 0xF0DF1760
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtUserRegisterRawInputDevices
Actual Address 0xF0DF4600
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtUserSendInput
Actual Address 0xF0DF3380
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtUserSetWindowsHookEx
Actual Address 0xF0DF2290
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

NtUserSetWinEventHook
Actual Address 0xF0DF2A60
Hooked by: C:\WINDOWS\system32\drivers\SandBox.sys

>Processes
>Drivers
>Stealth
>Files
>Hooks
IDT-->Int 00h-->Divide Error, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 01h-->DEBUG TRAP, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 03h-->Breakpoint, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 04h-->INTO, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 05h-->BOUND/Print Screen, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 06h-->Invalid Opcode, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 07h-->NPX Not Available, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 09h-->NPX Segment Overrun, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 0Ah-->Invalid TSS, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 0Bh-->Segment Not Present, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 0Ch-->Stack Fault, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 0Dh-->General Protection, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 0Eh-->Page Fault, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 0Fh-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 10h-->486 coprocessor error, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 11h-->486 alignment, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 12h-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 13h-->XMMI unmasked numeric exception, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 14h-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 15h-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 16h-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 17h-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 18h-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 19h-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 1Ah-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 1Bh-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 1Ch-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 1Dh-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 1Eh-->Intel Reserved, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 1Fh-->Reserved for APIC, Type: IDT modification [hal.dll]
IDT-->Int 2Ah-->_KiGetTickCount, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 2Bh-->_KiCallbackReturn, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 2Ch-->_KiRaiseAssertion, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 2Dh-->_KiDebugService, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 2Eh-->_KiSystemService, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 2Fh-->Reserved for APIC, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 30h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 31h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 32h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 33h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 34h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 35h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 36h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 37h-->Unexpected Interrupt, Type: IDT modification [hal.dll]
IDT-->Int 38h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 39h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 3Ah-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 3Bh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 3Ch-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 3Dh-->Unexpected Interrupt, Type: IDT modification [hal.dll]
IDT-->Int 3Eh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 3Fh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 40h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 41h-->Unexpected Interrupt, Type: IDT modification [hal.dll]
IDT-->Int 42h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 43h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 44h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 45h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 46h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 47h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 48h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 49h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 4Ah-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 4Bh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 4Ch-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 4Dh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 4Eh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 4Fh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 50h-->Unexpected Interrupt, Type: IDT modification [hal.dll]
IDT-->Int 51h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 52h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 53h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 54h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 55h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 56h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 57h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 58h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 59h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 5Ah-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 5Bh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 5Ch-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 5Dh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 5Eh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 5Fh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 60h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 61h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 62h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 63h-->Unexpected Interrupt, Type: IDT modification [unknown_code_page]
IDT-->Int 64h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 65h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 66h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 67h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 68h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 69h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 6Ah-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 6Bh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 6Ch-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 6Dh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 6Eh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 6Fh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 70h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 71h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 72h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 73h-->Unexpected Interrupt, Type: IDT modification [unknown_code_page]
IDT-->Int 74h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 75h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 76h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 77h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 78h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 79h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 7Ah-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 7Bh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 7Ch-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 7Dh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 7Eh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 7Fh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 80h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 81h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 82h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 83h-->Unexpected Interrupt, Type: IDT modification [unknown_code_page]
IDT-->Int 84h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 85h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 86h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 87h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 88h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 89h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 8Ah-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 8Bh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 8Ch-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 8Dh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 8Eh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 8Fh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 90h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 91h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 92h-->Unexpected Interrupt, Type: IDT modification [unknown_code_page]
IDT-->Int 93h-->Unexpected Interrupt, Type: IDT modification [unknown_code_page]
IDT-->Int 94h-->Unexpected Interrupt, Type: IDT modification [unknown_code_page]
IDT-->Int 95h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 96h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 97h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 98h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 99h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 9Ah-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 9Bh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 9Ch-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 9Dh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 9Eh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int 9Fh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int A0h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int A1h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int A2h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int A3h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int A4h-->Unexpected Interrupt, Type: IDT modification [unknown_code_page]
IDT-->Int A5h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int A6h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int A7h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int A8h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int A9h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int AAh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int ABh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int ACh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int ADh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int AEh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int AFh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int B0h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int B1h-->Unexpected Interrupt, Type: IDT modification [unknown_code_page]
IDT-->Int B2h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int B3h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int B4h-->Unexpected Interrupt, Type: IDT modification [unknown_code_page]
IDT-->Int B5h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int B6h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int B7h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int B8h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int B9h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int BAh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int BBh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int BCh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int BDh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int BEh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int BFh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int C0h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int C1h-->Unexpected Interrupt, Type: IDT modification [hal.dll]
IDT-->Int C2h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int C3h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int C4h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int C5h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int C6h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int C7h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int C8h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int C9h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int CAh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int CBh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int CCh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int CDh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int CEh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int CFh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int D0h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int D1h-->Unexpected Interrupt, Type: IDT modification [hal.dll]
IDT-->Int D2h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int D3h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int D4h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int D5h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int D6h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int D7h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int D8h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int D9h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int DAh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int DBh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int DCh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int DDh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int DEh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int DFh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int E0h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int E1h-->Unexpected Interrupt, Type: IDT modification [hal.dll]
IDT-->Int E2h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int E3h-->Unexpected Interrupt, Type: IDT modification [hal.dll]
IDT-->Int E4h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int E5h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int E6h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int E7h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int E8h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int E9h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int EAh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int EBh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int ECh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int EDh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int EEh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int EFh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int F0h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int F1h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int F2h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int F3h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int F4h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int F5h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int F6h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int F7h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int F8h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int F9h-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int FAh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int FBh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int FCh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
IDT-->Int FDh-->Unexpected Interrupt, Type: IDT modification [hal.dll]
IDT-->Int FEh-->Unexpected Interrupt, Type: IDT modification [hal.dll]
IDT-->Int FFh-->Unexpected Interrupt, Type: IDT modification [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D510, Type: Inline - RelativeJump 0xE0BD0510 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D53C, Type: Inline - RelativeJump 0xE0BD053C [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D78A, Type: Inline - RelativeJump 0xE0BD078A [ntkrnlpa.exe]
ntkrnlpa.exe+0x0002D860, Type: Inline - RelativeJump 0xE0BD0860 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0xE0C11CAE [ntkrnlpa.exe]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF0FC5454 [afwcore.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification 0xF64ADB3C [afwcore.sys]
[1500]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218 [shimeng.dll]
[1500]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4 [shimeng.dll]
[1500]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[1500]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4 [shimeng.dll]
[1500]explorer.exe-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[1500]explorer.exe-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[1500]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C [shimeng.dll]
[1500]explorer.exe-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[1500]explorer.exe-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[1500]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D931480 [shimeng.dll]
[1500]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C [shimeng.dll]
[1712]winlogon.exe-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[1712]winlogon.exe-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[1712]winlogon.exe-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[1712]winlogon.exe-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[1756]services.exe-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[1756]services.exe-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[1756]services.exe-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[1756]services.exe-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[2088]WLanGUI.exe-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[2088]WLanGUI.exe-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[2088]WLanGUI.exe-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[2088]WLanGUI.exe-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[2128]wscntfy.exe-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[2128]wscntfy.exe-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[2128]wscntfy.exe-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[2128]wscntfy.exe-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[2168]ctfmon.exe-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[2168]ctfmon.exe-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[2168]ctfmon.exe-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[2168]ctfmon.exe-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[2196]EM_EXEC.EXE-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[2196]EM_EXEC.EXE-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[2196]EM_EXEC.EXE-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[2196]EM_EXEC.EXE-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[2248]soffice.exe-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[2248]soffice.exe-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[2248]soffice.exe-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[2248]soffice.exe-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[2288]soffice.bin-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[2288]soffice.bin-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[2288]soffice.bin-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[2288]soffice.bin-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[3588]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163C3 [firefox.exe]
[3588]firefox.exe-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[3588]firefox.exe-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[3588]firefox.exe-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[3588]firefox.exe-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[480]spoolsv.exe-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[480]spoolsv.exe-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[480]spoolsv.exe-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[480]spoolsv.exe-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[776]WLanNetService.exe-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[776]WLanNetService.exe-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[776]WLanNetService.exe-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[776]WLanNetService.exe-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[820]jqs.exe-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[820]jqs.exe-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[820]jqs.exe-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[820]jqs.exe-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
[880]PnkBstrA.exe-->user32.dll-->ChangeDisplaySettingsExA, Type: Inline - RelativeJump 0x7E42384E [wl_hook.dll]
[880]PnkBstrA.exe-->user32.dll-->ChangeDisplaySettingsExW, Type: Inline - RelativeJump 0x7E4595BD [wl_hook.dll]
[880]PnkBstrA.exe-->user32.dll-->SetForegroundWindow, Type: Inline - RelativeJump 0x7E4242ED [wl_hook.dll]
[880]PnkBstrA.exe-->user32.dll-->SetWindowPos, Type: Inline - RelativeJump 0x7E4299F3 [wl_hook.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
 #691  by EP_X0FF
 Wed Apr 14, 2010 1:47 am
It would be useful if you could provide a sample of the IDT handler code.

This can be done with WinDbg + symbols.

lkd> u address_of_IDT_entry l20